tls: Purge async_hold in tls_decrypt_async_wait()_CVE-2026-23414

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

tls: Purge async_hold in tls_decrypt_async_wait()

The async_hold queue pins encrypted input skbs while
the AEAD engine references their scatterlist data. Once
tls_decrypt_async_wait() returns, every AEAD operation
has completed and the engine no longer references those
skbs, so they can be freed unconditionally.

A subsequent patch adds batch async decryption to
tls_sw_read_sock(), introducing a new call site that
must drain pending AEAD operations and release held
skbs. Move __skb_queue_purge(&ctx->async_hold) into
tls_decrypt_async_wait() so the purge is centralized
and every caller -- recvmsg's drain path, the -EBUSY
fallback in tls_do_decryption(), and the new read_sock
batch path -- releases held skbs on synchronization
without each site managing the purge independently.

This fixes a leak when tls_strp_msg_hold() fails part-way through,
after having added some cloned skbs to the async_hold
queue. tls_decrypt_sg() will then call tls_decrypt_async_wait() to
process all pending decrypts, and drop back to synchronous mode, but
tls_sw_recvmsg() only flushes the async_hold queue when one record has
been processed in "fully-async" mode, which may not be the case here.

[[email protected]: added leak comment]

Basic Information

ID CVE-2026-23414

Source Linux

Published Apr 2, 2026 at 11:40

Modified Apr 27, 2026 at 14:02

Affected Product

Vendor Linux

Product Linux

Version 9f83fd0c179e0f458e824e417f9d5ad53443f685

Affected Versions Linux Linux 9f83fd0c179e0f458e824e417f9d5ad53443f685
Linux Linux c61d4368197d65c4809d9271f3b85325a600586a
Linux Linux 39dec4ea3daf77f684308576baf483b55ca7f160
Linux Linux b8a6ff84abbcbbc445463de58704686011edc8e1
Linux Linux b8a6ff84abbcbbc445463de58704686011edc8e1
Linux Linux b8a6ff84abbcbbc445463de58704686011edc8e1
Linux Linux 4fc109d0ab196bd943b7451276690fb6bb48c2e0
Linux Linux 6.18

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: Purge async_hold in tls_decrypt_async_wait()\n\nThe async_hold queue pins encrypted input skbs while\nthe AEAD engine references their scatterlist data. Once\ntls_decrypt_async_wait() returns, every AEAD operation\nhas completed and the engine no longer references those\nskbs, so they can be freed unconditionally.\n\nA subsequent patch adds batch async decryption to\ntls_sw_read_sock(), introducing a new call site that\nmust drain pending AEAD operations and release held\nskbs. Move __skb_queue_purge(&ctx->async_hold) into\ntls_decrypt_async_wait() so the purge is centralized\nand every caller -- recvmsg's drain path, the -EBUSY\nfallback in tls_do_decryption(), and the new read_sock\nbatch path -- releases held skbs on synchronization\nwithout each site managing the purge independently.\n\nThis fixes a leak when tls_strp_msg_hold() fails part-way through,\nafter having added some cloned skbs to the async_hold\nqueue. tls_decrypt_sg() will then call tls_decrypt_async_wait() to\nprocess all pending decrypts, and drop back to synchronous mode, but\ntls_sw_recvmsg() only flushes the async_hold queue when one record has\nbeen processed in \"fully-async\" mode, which may not be the case here.\n\n[[email protected]: added leak comment]",
    "published": "2026-04-02T11:40:55.746Z",
    "modified": "2026-04-27T14:02:13.069Z",
    "type": "cve",
    "title": "tls: Purge async_hold in tls_decrypt_async_wait()",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/ac435be7c7613eb13a5a8ceb5182e10b50c9ce87\nhttps://git.kernel.org/stable/c/2dcf324855c34e7f934ce978aa19b645a8f3ee71\nhttps://git.kernel.org/stable/c/6dc11e0bd0a5466bcc76d275c09e5537bd0597dd\nhttps://git.kernel.org/stable/c/9f557c7eae127b44d2e863917dc986a4b6cb1269\nhttps://git.kernel.org/stable/c/fd8037e1f18ca5336934d0e0e7e1a4fe097e749d\nhttps://git.kernel.org/stable/c/84a8335d8300576f1b377ae24abca1d9f197807f",
    "id": "CVE-2026-23414",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 9f83fd0c179e0f458e824e417f9d5ad53443f685\nLinux Linux c61d4368197d65c4809d9271f3b85325a600586a\nLinux Linux 39dec4ea3daf77f684308576baf483b55ca7f160\nLinux Linux b8a6ff84abbcbbc445463de58704686011edc8e1\nLinux Linux b8a6ff84abbcbbc445463de58704686011edc8e1\nLinux Linux b8a6ff84abbcbbc445463de58704686011edc8e1\nLinux Linux 4fc109d0ab196bd943b7451276690fb6bb48c2e0\nLinux Linux 6.18",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "9f83fd0c179e0f458e824e417f9d5ad53443f685",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply